Challenge

A large healthcare organization tapped WWT to conduct a security risk assessment of their certified electronic health record (EHR) technology, and identify security deficiencies as a part of their ongoing risk management process.

The security risk assessment would ensure the organization was meeting the privacy and security objectives of the EHR Incentive Program in order to qualify for incentive payments.

The security risk assessment encompassed a vulnerability assessment of more than 8,000 IP addresses, a network architecture review and a technical risk assessment. The organization needed to conduct these assessments and analyze possible vulnerabilities that may be exploited by malicious persons or activities.

Solution

WWT consultants used a proven methodology for conducting this assessment that included expert knowledge, state of the art tools, techniques, in-depth analysis, skilled training and repetition. We focused on the critical nature of the information being protected, processed or stored on vulnerable devices, and our report was specifically designed to help the healthcare organization’s management understand the severity, ease and business impact of exploitation.

We first had to identify all the devices in the organization’s network to ensure they were scanned for vulnerabilities. During the initial scan, we discovered nearly 100,000 medium- to high-risk vulnerabilities internally and externally. After evaluating the vulnerabilities, we were able to make correlations and pinpoint trends for the organization. This data analysis led to identifying patch management and configuration management as core problems for the organization.

In addition, we analyzed the customer’s security architecture and performed a technical risk assessment. During these assessments, a WWT security engineer reviewed and assessed network diagrams, firewall rules and router configurations that were provided by the healthcare organization. The network architecture as described by these documents was then evaluated against industry best practices and regulations related to HIPAA, NIST 800 and relevant sections of ISO 27002. We also documented many areas in which the organization would benefit from a consolidated active directory system in respect to efficiency, configuration and security.

Conclusion

WWT successfully performed the security audit and provided the organization with recommendations for treating all spectrums of their network architecture. Almost 90 percent of the vulnerabilities detected could be fixed by putting a comprehensive, systematic approach in place for patching. If implemented quickly, it could prevent many of the medium-risk vulnerabilities from becoming higher risk. The organization also plans to move forward with their consolidation to a single domain to strengthen their active directory configuration.